Discover Industry-Leading Strategies and Best Practices for Future-Ready Identity and Access Management
It was great to see everyone last week at the 2022 Gartner IAM Summit in Las Vegas and to be part of such an impressive community of seasoned IT & security experts discussing, debating, and sharing insights on the latest industry-leading strategies and technology.
One thing that was immediately clear was that we all share similar challenges -– reducing friction on the end user, empowering the business, self-service access, getting buy-in, and implementing zero trust architectures, to name a few. As the modern risk landscape evolves, the path to cloud identity transformation presents increasingly unpredictable challenges. Add vulnerabilities from remote work and global supply chains to the equation, and the game only gets more complex.
To safeguard data and workforces across IT environments, security leaders are adopting an identity-driven perimeter. And with the right approach, organizations are going beyond compliance to activate IAM as a top-level business enabler as well as a crucial element of security. But this is not a simple prospect, and everyone’s journey is slightly different, which is why sharing expertise and experience is so vital.
Here are some key takeaways we learned from hearing the analysts speak, attending sessions, and talking to our customers at the event:
1. Convergence is Not Optional
The pressure on enterprises to modernize their identity and security platforms has never been higher. As organizations attempt to modernize, however, they are finding an explosion of tools, interfaces, dashboards, alerts, and, yes, identities. Getting these different technologies to work together is a daunting and ever-changing task, and in many cases, it’s impossible. Managing them separately is time-consuming and too complex to be practical.
In a recent Total Economic Impact report on Saviynt’s Enterprise Identity Cloud, Forrester notes how many companies deal with onerous identity and access governance responsibilities using a “combination of on-premises, homegrown tools that require internal coding, regular maintenance and upgrading, and significant management time.” The situation naturally leads toward a demand for simplification, toward technology convergence that includes a centralized hub to manage data, attributes, and information.
Enterprises must exercise caution, however. Often marketers hype “converged identity” despite a lack of true solution convergence. Genuinely converged platforms simplify, unify, and streamline the workflows across distinct tools – while being robust enough to handle modern ecosystems.
2. Cybersecurity Mesh Architecture Continues to Gain Momentum
Identity has become a key component of security, and it’s critical that the identity ecosystem integrates with the security stack. The evolution of cyberattacks and distributed cloud workloads and applications creates a “perfect storm” for IT leaders, suggests Gartner. These changes require that security professionals “integrate security tools into a cooperative ecosystem using a composable and scalable cybersecurity mesh architecture (CSMA) approach.”
The old view of protecting the traditional IT perimeter is being replaced with a more modular approach. CSMA allows security leaders to apply access policies at the identity layer to protect devices and resources. These policies extend across the access path — from data to workload to application — creating integrated security from individual components.
A notable opportunity within CSMA is the emphasis on composability, scalability, and interoperability. This moves security teams from managing fragmented, individually configured services to deploying best-in-class solutions that work together to mature security posture.
According to Gartner, by 2024, adopting a cybersecurity mesh architecture to integrate security tools to work as a cooperative ecosystem will reduce the financial impact of individual security incidents by an average of 90%.
3. There’s a Growing Imperative to Automate and Optimize Policy Management
Although many cloud service providers offer IAM policy generation tools, organizations with complex infrastructures — an increasing number these days — find that individual tools and home-grown solutions lead to human error risk as well as higher operational costs. Meanwhile, the attack surface is expanding. It’s no longer an option to manage entitlements manually and without identity analytics/ML. Given the sheer number of entitlements, automation is now a necessary part of the equation.
Creating a holistic IAM Policy requires you to incorporate all identity, role, and group definitions across the ecosystem. Automated tools enable the organization to aggregate that information, leverage analytics, and create a cohesive definition of identity and access based on user attributes. Automated tools that incorporate intelligent analytics enable you to create attributes such as user, object, action, and environment characteristics and then apply those to how a subject can operate within the environment. These rules provide more detailed and granular access controls.
Using an automated tool that incorporates intelligent analytics for role-mining allows you to find the similarities in definitions and access permissions across the divergent ecosystem to create an authoritative source of identity.
4. The Shift to Machines Requires Better Visibility and Governance
With the increased use of automation — the shift to machines doing more of the work — it is critical to have visibility and governance over what machines have access to. Knowing how many software bots, physical robots, or internet of things (IoT) devices are connected to your network and what they can access is becoming critical.
Today, digital transformation initiatives can spawn thousands or millions of new machine identities. Non-human tools boost productivity, but they also widen threat surfaces. Machine identities can include bots, serverless functions, software-defined infrastructure, administrative roles in cloud accounts, scripts, and other infrastructure-as-code artifacts – identities with no operator or human intervention.
Machine identities need robust governance because they fundamentally behave as privileged users. Enterprises must view them as a security threat – and elevate privilege on a just-in-time basis and deactivate the privilege when the identity is inactive. PAM systems, therefore, must support privileged non-human identities for machines, processes, microservices, and containers in both production and development environments or DevOps, where this model is followed.
This is where converged IGA-PAM systems shine. With them, you can bring machine identity management under a comprehensive IGA/PAM strategy that increases visibility and continuous monitoring. This helps you establish privilege level understanding, access revocation/changes, succession policies, peer and usage data intelligence.
5. How Soon Will Enterprises Adopt Decentralized Identity?
A popular and promising alternative is the decentralized identity approach, one that gives entities self-sovereignty over the verification and authentication process via multiple digital workflows powered by blockchain. On the Gartner Hype Cycle for Digital Identity 2022, decentralized identity is ‘down the slope.’ While the technology exists to implement it, adoption has been slow, given the business case is not as compelling and some liability issues remain.
Gartner writes that because ecosystems are still immature, fully decentralized identity implementations will not fully overtake traditional, centralized identity systems in the near future. However, they note that enterprises must “be prepared to support BYOI mechanisms from multiple decentralized identity networks, especially if [your organization] is responsible for other IAM technologies, such as access management, identity governance, and administration and identity proofing.”
But even with identities increasingly distributed or decentralized, enterprises need to solve for compliance and improved transparency. Those are still the name of the game in ensuring security with the new identity-driven perimeter, as the modern risk landscape evolves.
We enjoyed connecting with our customers and prospects, exchanging security insights, and validating our strategy with research from the experts at Gartner. Looking forward to the next conference as we continue to drive identity innovation.